Cookies lack integrity: Real-world implications

Proceedings of the 24th USENIX Security Symposium

Volumn , Issue , 2015, Pages 707-721

  Zheng, Xiaofeng ^a,b   Jiang, Jian ^f   Liang, Jinjin ^a,b   Duan, Haixin ^a,b,c   Chen, Shuo ^d   Wan, Tao ^e   Weaver, Nicholas ^c,f  

^a TSINGHUA UNIVERSITY   (China)

^b TSINGHUA NATIONAL LABORATORY FOR INFORMATION SCIENCE AND TECHNOLOGY   (China)

^c INTERNATIONAL COMPUTER SCIENCE INSTITUTE   (United States)

^d MICROSOFT RESEARCH   (United States)

^e Huawei Canada   (Canada)

^f UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

LOSSES; NETWORK SECURITY; WEB BROWSERS;

BANK OF AMERICA; EMPIRICAL ASSESSMENT; FINANCIAL LOSS; FIREFOX; MITIGATION STRATEGY; PRIVACY VIOLATION; PROOF OF CONCEPT; REAL-WORLD;

HTTP;

EID: 84987614245     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (33)

1. Edit This Cookie. http://www.editthiscookie.com/. [accessed Feb-2015].
2. BARTH, A. HTTP State Management Mechanism. IETF RFC 6265 (2011).
3. BARTH, A. The Web Origin Concept. IETF RFC 6454 (2011).
4. BARTH, A., JACKSON, C., AND MITCHELL, J. C. Robust Defenses for Cross-Site Request Forgery. In Proceedings of the 15th CCS (2008), ACM, pp. 75–88.
5. BORTZ, A., BARTH, A., AND CZESKIS, A. Origin Cookies: Session Integrity for Web Applications. Web 2.0 Security and Privacy (W2SP) (2011).
6. CHEN, S., MAO, Z., WANG, Y.-M., AND ZHANG, M. Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments. In Proceedings of the 30th IEEE S&P (Oakland) (2009), IEEE, pp. 347–359.
7. EVANS, C. Cookie Forcing. http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html, 2008. [accessed Feb-2015].
8. FIELDING, R., GETTYS, J., MOGUL, J., FRYSTYK, H., MAS-INTER, L., LEACH, P., AND BERNERS-LEE, T. Hypertext Transfer Protocol–HTTP/1.1. IETF RFC 2616 (1999).
9. FIELDING, R., AND RESCHKE, J. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. IETF RFC 7230 (2014).
10. FOUNDATION, O. OpenID Authentication 2.0 - Final. http://openid.net/specs/openid-authentication2_0.html. [accessed Feb-2015].
11. GITHUB. Yummy Cookies across Domains. https://github.com/blog/1466-yummy-cookies-across-domains, 2013. [accessed Feb-2015].
12. GLUCK, Y., HARRIS, N., AND PRADO, A. BREACH: Reviving the CRIME Attack. http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030% 20seconds.pdf, 2013. [accessed Feb-2015].
13. GOOGLESUPPORT. Block Adult Content at Your School. https://support.google.com/websearch/answer/186669?hl=en. [accessed Feb-2015].
14. HARDT, D. The OAuth 2.0 Authorization Framework. IETF RFC 6749 (2012).
15. HODGES, J., JACKSON, C., AND BARTH, A. Http Strict Transport Security (HSTS). IETF RFC 6797 (2012).
16. IEBLOG. Project Spartan and the Windows 10 January Preview Build. http://blogs.msdn.com/b/ie/archive/2015/01/22/project-spartan-and-the-windows-10-januarypreview-build.aspx. [accessed Feb-2015].
17. JACKSON, C., AND BARTH, A. Beware of Finer-Grained Origins. Proceedings of 2th W2SP (2008).
18. JACKSON, C., AND BARTH, A. ForceHTTPS: Protecting High-Security Web Sites from Network Attacks. In Proceedings of the 17th WWW (2008), ACM, pp. 525–534.
19. JOHNSTON, P., AND MOORE, R. Multiple Browser Cookie Injection Vulnerabilities. http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt, 2004. [accessed Feb-2015].
20. KELSEY, J. Compression and Information Leakage of Plaintext. In Fast Software Encryption (2002), Springer, pp. 263–276.
21. KOLŠEK, M. Session Fixation Vulnerability in Web-based Applications. http://www.acros.si/papers/session_fixation.pdf, 2002. [accessed Feb-2015].
22. KRANCH, M., AND BONNEAU, J. Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning. In Proceedings of the 22th NDSS (2015).
23. LUNDEEN, R. The Deputies Are still Confused. Blackhat EU (2013).
24. LUNDEEN, R., OU, J., AND RHODES, T. New Ways Im Going to Hack Your Web App. Blackhat AD (2011).
25. MOZZILA. Public Suffix List. https://publicsuffix.org/. [accessed Feb-2015].
26. NGINX. Module ngx http core module. http://nginx.org/en/docs/http/ngx_http_core_module.html#large_ client_header_buffers. [accessed Jun-2015].
27. PAXSON, V. Bro: A System for Detecting Network Intruders in Real-Time. Computer networks 31, 23 (1999), 2435–2463.
28. PROJECTS, T. C. HTTP Strict Transport Security. http://www.chromium.org/hsts. [accessed Feb-2015].
29. RIZZO, J., AND DUONG, T. The CRIME Attack. In EKOparty Security Conference (2012), vol. 2012.
30. SINGH, K., MOSHCHUK, A., WANG, H. J., AND LEE, W. On the Incoherencies in Web Browser Access Control Policies. In Proceedings of the 31th IEEE S&P (Oakland) (2010), IEEE, pp. 463–478.
31. WANG, R., ZHOU, Y., CHEN, S., QADEER, S., EVANS, D., AND GUREVICH, Y. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In USENIX Security (2013), pp. 399–314.
32. ZALEWSKI, M. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, 2012.
33. ZHOU, Y., AND EVANS, D. Why Arent HTTP-only Cookies More Widely Deployed. Proceedings of 4th W2SP 2 (2010).